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Abstract 

A growing body of literature in networked systems research relies on game theory and mechanism 
design to model and address the potential lack of cooperation between self-interested users. Most game- 
theoretic models applied to system research only describe competitive equilibria in terms of pure Nash 
equilibria, that is, a situation where the strategy of each user is deterministic, and is her best response 
to the strategies of all the other users. However, the assumptions necessary for a pure Nash equilibrium 
to hold may be too stringent for practical systems. Using three case studies on computer security, TCP 
congestion control, and network formation, we outline the limits of game-theoretic models relying on 
Nash equilibria, and we argue that considering competitive equilibria of a more general form may help 
reconcile predictions from game-theoretic models with empirically observed behavior 



*This work is supported in part by the National Science Foundation through grants ANI-0085879 and ANI-0331659. 



1 Introduction 



Empirical evidence of phenomena such as free-riding in peer-to-peer systems 1 1 1 or unfairness in ad-hoc 
networks [ 1 8 1 challenges the traditional system design assumption that all users of a network are able and 
willing to cooperate for the greater good of the community. Hence, system architects have become increas- 
ingly interested in considering network participants as selfish ll28l or competing iBTl entities. For instance, 
in an effort to discourage free-riding, some deployed peer-to-peer systems such as KaZaA or BitTorrent O 
rely on simple incentive mechanisms. More generally, as summarized in IT3ll24ll28l . a number of recent 
research efforts have been applying concepts from game theory and mechanism design to networked sys- 
tems in an effort to ahgn the incentives of each (self-interested) user with the goal of maximizing the overall 
system performance. 

A cornerstone of game theory and mechanism design is the notion of competitive equilibrium, which is 
used to predict user behavior and infer the outcome of a competitive game. As discussed in [24|, the concept 
of Nash equilibrium is predominantly used in system research to characterize user behavior. Assuming each 
user obtains a utility dependent on the strategy she adopts, a Nash equilibrium is defined as a set of strategies 
from which no user willing to maximize her own utility has any incentive to deviate E^ . 

While Nash equilibria are a very powerful tool for predicting outcomes in competitive environments, 
their application to system design generally relies on a few assumptions, notably, that (1) each participant 
is infallible (i.e., perfectly rational), and that (2) each user has perfect knowledge of the structure of the 
game, including strategies available to every other participant and their associated utilities. There seems 
to be a class of problems for which these assumptions may be too restrictive, for instance, characterizing 
competitive equilibria in systems where participants have limited knowledge of the state of the rest of the 
network. 

As a practical example of the potential limits of a game theoretical analysis of a networked system solely 
based on Nash equilibria, one can argue that, in the case of a peer-to-peer file-sharing system that does not 
provide incentives for users to share, the unique Nash equilibrium leads to the "tragedy of the commons 
IITtI ." that is, a situation where users do not share anything to minimize the cost they incur, thereby leading 
the entire system to collapse. The mere fact that, in practice, some users are sharing files, even in peer-to- 
peer systems that do not rely on incentive mechanisms, hints that a Nash equilibrium is not actually reached. 

In this paper, we argue that successfully applying game theory in networked systems may require to 
consider competitive equilibria of a more general form than pure Nash equilibria. We illustrate our point by 
presenting three case studies, on security, TCP congestion control, and network formation, where outcomes 
predicted by Nash equilibria are not entirely correlated by empirical observations. In each case study, we 
investigate if and how more general forms of competitive equilibria can be used to better describe observed 
behavior. 

The remainder of this paper is organized as follows. In Sectional we provide some background by for- 
mally discussing the concepts of Nash equilibria and their extensions or potential alternatives. In Section |5] 
we present our case studies. Finally, in Section |4] we discuss our findings, outline a possible agenda for 
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future research, and draw conclusions from our observations. 

2 Background 

We consider strategic interactions (called games) of the following simple form: the individual decision- 
makers (also called players) of a game simultaneously choose actions that are derived from their available 
strategies. The players will receive payoffs that depend on the combination of the actions chosen by each 
player. 

More precisely, consider a set = {1, n} of players. Denote as Si the set of pure (i.e., deterministic) 
strategies available to player i, and denote as si an arbitrary member of i's strategy set. A probability dis- 
tribution over pure strategies is called a mixed strategy fjj. Accordingly, the set of mixed strategies for each 
player, Sj, contains the set of pure strategies. Si, as degenerate cases. Each player's randomization is statis- 
tically independent of those of the other players. Then, Ui represents player i's payoff (or utility) function: 
Ui{(Ti, a^i) is the payoff to player i given her strategy ((Tj) and the other players' strategies (summarized as 
(7_i). An n-player game can then be described as G = {A^; Sj, Uj, u-i}. 

Players are in a Nash equilibrium if a change in strategies by any one of them would lead that player to 
obtain a lower utility than if she remained with her current strategy |23|. Formally, we can define a Nash 
equilibrium as follows: A vector of mixed strategies a* = (crjj', cr* ) € S comprises a mixed-strategy 
Nash equilibrium of a game G if for all i G N and for all a\ G Sj, Ui{a\,a*_^) — Ui{o*,a*_j) < 0. A 
pure-strategy Nash equilibrium is a vector of pure strategies, s* G S, that satisfies the equivalent condition. 

The economics community has provided an increasing number of refinements to strengthen the concept 
of the Nash equilibrium, for example, to remove counter-intuitive or unrealistic predictions. Complementary 
to these refinements some have investigated the rational choice assumptions on which the Nash equiUbrium 
concept is built. For instance, a rational player is expected to demonstrate error-free decision-making, to 
have perfect foresight of the game and to be unbounded in her computational abilities. Intuitively, players 
such as network users or automated agents will likely deviate from these rigid assumptions. 

Consider, for example, an experienced player whose strategy choice is almost perfectly correlated with a 
Nash prediction of a game but always contains a small error. She is playing in an auction with an asymmetry 
between the expected cost of overshooting and undershooting the Nash solution. If overshooting is less 
costly, the player's strategy will most likely contain a small upward bias. If a substantial part of the other 
players shares this marginal bias the outcome of the auction can be surprisingly far away from a Nash 
prediction (HI. Similarly, in a sealed-bid auction the Nash equilibrium outcome predicts that a player with 
a lower valuation will only sometimes win the auctioned good. However, this outcome is more Ukely if 
players share little imperfections in the execution of Nash strategies 120|. 

Such systematic and non-systematic deviations and their outcomes have been motivation to formulate 
more generalized models of strategic behavior that include the notion of the Nash equilibrium as a special 
case. Examples are models that introduce (possibly small) amounts of noise into the decision-making pro- 
cess fl31l21J . These models are very useful as an empirical structure for uncovering features of payoffs from 
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field data, or to obtain relationships between observables and primitives of interest (T6i . Another set of mod- 
els derive equilibria that are near rational (3 EH- In near rational equilibria a player who is not perfectly 
maximizing her utility cannot improve her payoff by a substantial amount by playing her Nash strategy 
more accurately. While the personal losses for a player are potentially very small, the equilibria derived 
often represent substantial departures from a prediction based on perfect Nash optimizing behavior. These 
models are appropriate for the description of empirical phenomena but can also contribute explanations and 
predictions of strategic behavior. 

In the analysis we present in this paper, we will focus on a simple, but powerful model of near rationality, 
called the e-equilibrium l25l . We point out that other equilibrium concepts can also be useful in modeling 
and analyzing networked systems, but defer the analysis of their applicability to future work. 

The e-equilibrium concept is relaxing the conception of a fully rational player to a model where each 
player is satisfied to get close to (but does not necessarily achieve) her best response to the other player's 
strategies. No player can increase her utility by more than e by choosing another strategy. Therefore, 
we locate an e-equilibrium by identifying a strategy for each player so that her payoff is within e of the 
maximum possible payoff given the other players' strategies. 

Formally, an e-equilibrium can be defined as follows: A vector o/m/xe^/ifrateg/es 0"^ = (ctj^, cj^) e S 
comprises a mixed-strategy e-equilibrium of a game G if, for all i € N, for all a[ E Sj, and a fixed e > 0, 
Ui{a[,a'Li) — Ui{af,ati) < e. A pure-strategy e-equilibrium is a vector of pure strategies, G S, that 
satisfies the equivalent condition. For e = this condition reduces to the special case of a Nash equilibrium. 
Thus, one can consider e-equilibria as a more generalized solution concept for competitive equilibria. 

3 Case studies 

In this section, we present three case studies on security, TCP congestion control, and network formation. 
For each of the case studies, we describe the interaction between the different participants in terms of a 
game. We then note the discrepancies between the game outcome as predicted by a Nash equilibrium and 
the behavior observed empirically, and discuss if more general forms of equilibria can lead to more accurate 
predictions. 

3.1 Protection against security threats 

For our first case study, we look at the level of security users choose in a network subject to a security 
threat. Specifically, we focus on protection against potential distributed denial of service (DDoS) attacks. 
In the first stage of a DDoS attack, an attacker looks for a (set of) machine(s) whose control they can easily 
seize, to use as a platform to launch an attack of larger magnitude. For instance, by obtaining total control 
of a machine on a network, an attacker may be able to retrieve passwords and gain access to more secure 
machines on the same network. 

We model here a network of n users, who are all potential targets in the initial stage of a DDoS attack. 
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If we characterize the level of computer security that each user i adopts by a variable Sj, the user(s) with 
the lowest Sj (i.e., Si = Smin = niinj{sj}) will be compromised. We assume that each user can infer the 
security level Si used by every other user (e.g., by probing), and no finite security level Si can be selected to 
guarantee a protection against all attacks. We further assume that the cost of implementing a security policy 
Si is a monotonic increasing function of Sj. Specifically, to simplify the notations, we consider here that 
each user i that is not compromised pays Si to implement their security policy. The compromised user(s), 
say user j, pays a fixed penalty P > Si (for any Sj), independent of the security level Smin she has chosen. 

While very simplified, we conjecture this game is a relatively accurate model of the first stage of DDoS 
attacks that have been carried out in practice lITOl .^ We defer the study of the deployment of the attack 
beyond the first stage to future work. 

Proposition 1. The game described above has a unique pure Nash equilibrium, where all users choose an 
identical security level Si = P. 

Proposition [fl whose proof we derive in Appendix |X1 tells us that, for a Nash equilibrium to hold, all 
users have to choose the highest level of security available. However, available data from large networks, 
e.g., f8|, documents that different systems present highly heterogeneous security vulnerabilities, which in 
turn indicates that implemented security levels are highly disparate across machines. Hence, in the context 
of the security game we just described, a Nash equilibrium does not seem to accurately describe observed 
behavior. 

Some of the possible explanations for the heterogeneity of the implemented security levels can be cap- 
tured by more elaborate equilibrium models. In particular, (1) users have incomplete information on the 
levels of security deployed by other users, (2) the perceived benefit of installing security patches may be 
smaller than the overhead patching incurs, and (3) some users may be gambling (knowingly or not) on 
the seriousness of the security threats they face. These three arguments all make the case for considering 
e-equilibria with mixed strategies, rather than a pure Nash equilibrium.^ 

Proposition 2. There exist mixed- strategy e-equilibria with e < P/A where all chosen security levels are 
distributed over the interval [0, P]. 

Proposition 121 which we prove in Appendix|Al indicates that considering e-equilibria with mixed strate- 
gies allows us to predict large dispersion of the chosen security levels, even for relatively low values of e. 
This result seems to be more in line with the available measurement data. We further note that analogous 
results have been recently derived to quantitatively model price dispersion phenomena 13, where assuming 
a Nash equilibrium likewise fails to corroborate empirical measurements. 

'while this type of attaclc shares some similarities with worm propagation, notably searching for insecure machines 1221 . a 
worm typically propagates by infecting all machines on a network that are below a certain, fixed, security level, which is different 
from our hypothesis that only the machines with the lowest level of security are compromised. 

■^One could also consider pure e-equilibria, but it can be shown that, for this specific game, pure £-equilibria produce results 
very close to Proposition^ 
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One can direct two critiques at the discussion on the security game we just presented. First, the discrep- 
ancies between the behavior predicted by a Nash equilibrium and that observed in practice may be due to 
an inaccurate game model, rather than from assuming a specific type of equilibrium. Second, one can argue 
that while the assumption of perfect rationality, as required in a pure Nash equilibrium, is very debatable 
when strategies are selected by humans (such as in the security game), perfect rationality is a much more 
reasonable assumption in the case of automated agents. We attempt to address these concerns by discussing 
additional case studies in the remainder of this paper. 

3.2 TCP congestion control 

The second case study relies on a game-theoretic analysis of the TCP transport protocol (21. Each TCP 
sender relies on an additive-increase-multiplicative-decrease (AIMD) algorithm to adjust its sending rate in 
function of the congestion experienced on the path from sender to receiver. 

In O, Akella et al. present a game-theoretic analysis to model competition between different TCP 
senders for three of the most popular variants of TCP, namely, TCP Tahoe, TCP Reno and TCP SACK. In 
the TCP Game they describe, players are the TCP sources {i E {1, . . . , n}), which are allowed to adjust 
their individual additive increase (oj) and multiplicative decrease parameters. In the TCP Game, the 
utility of each player is equal to her goodput, which is defined as the total amount of data transfered over 
a time interval, minus the amount of data that had to be retransmitted (presumably because of losses in the 
network) over the same time interval. 

One of the insights presented in [ 2 1 is that, for TCP SACK, a pure Nash equilibrium results in ^ oo 
(infinite additive increase) if /3j is held fixed, while /3j ^ 1 (no multiplicative decrease) if Oj is held fixed. 
Simply stated, if all players in a TCP SACK network were behaving according to a Nash equilibrium, they 
would simply turn off congestion control, which would likely result in the network suffering from complete 
congestion collapse. However, TCP SACK is increasingly deployed on the Internet EJ, and yet, we do not 
observe congestion collapse phenomena due to misbehaving TCP sources.^ 

One of the possible reasons proposed by the authors of |2l| for the continued stable operation of the 
Internet is that a given user may face technical difficulties to modify the behavior of her machine to behave 
greedily. We submit this potential explanation can be partially captured by considering an e-equilibrium 
instead of a Nash equilibrium. The cost of modifying the behavior of a given machine can indeed be viewed 
as a switching cost, to be included in the factor e. 

For simplicity, we assume here that players can only modify their additive increase parameter a-i. (An 
analogous study can be carried out if we allow changes to /3j.) The authors of 12J show that, with TCP 
SACK, player i's utihty (goodput) is given by 

Ui[ai,a-i) = c— , 

A + Ui 

^In fact, the authors of |2 1 point out that the Nash equilibria for TCP NewReno and TCP SACK are similar. TCP NewReno and 

TCP SACK combined currently account for an overwhelming majority of all traffic on the Internet, which hints that the observed 

stable operation of the Internet probably does not result from having a mix of different TCP variants in the network. 
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where c denotes the total capacity (bandwidth-delay product divided by the round-trip-time) of the bottle- 
neck link, and A = Ylj^i '^j- Therefore, having an e-equilibrium implies that, for any a^, Ui{a^, a_j) — 
Ui{ai, u-i) < e, so that 

If we allow Oj = and a'- — > oo, an e-equilibrium can only occur for e > c, that is, when e is larger than 
the maximum utility achievable. In such a scenario, e is so large that all players select a value for their 
parameter Ui at random. 

Adding the assumption that variations of q, are bounded leads to much more interesting results.^ Specif- 
ically, let us impose a'^ — Ui < K for K £ N. For simplicity, let us set the initial values for Oj to the default 
value in TCP implementations, that is, = 1 for all i. Then, we have A = n — 1 and < < + 1. 
Substituting in Eq. (0, we have a e-equilibrium as soon as 

K 

£>c—. 
n 

Hence, in a network with a large number of TCP senders, the default TCP implementation can be an e- 
equilibrium for small values of e. This is one of the possible explanations why the predicted Nash behavior 
that users would turn off TCP congestion control primitives is not fulfilled. 



3.3 Network formation 

For our third case study, we briefly discuss network formation by self-interested parties. Following sem- 
inal work in economics |19|, network formation has lately received relatively significant attention in the 
networking research community. We refer the interested reader to recent studies, such as Q^Q, for an 
in-depth discussion of the problem, and only focus here on the potential limitations of using Nash equilibria 
in the context of network formation. 

We define a network as a set of n nodes connected by a set of k directed links (where k < 2n{n — 1)). 
Each node is used to store items that are of interest to other nodes. We follow the generic network model 
described in 15) where each node can request items, serve items, or forward requests between other nodes. As 
in 1^, we assume shortest-path routing. Using a few simplifying assumptions (e.g., all nodes are considered 
to have the same capabilities, all links have the same establishment cost, and requests for items are uniformly 
distributed over the entire network), the authors of |6| express the cost associated to each node i as 

Ci = — h lEdi^ + rEbjkii) + mdeg(z) , 
n 

where Edij is the expected value of the topological distance (hop-count) between node i and another node j, 
Ebj f:{i) is the expected value of the probability that node i is on the path between two arbitrary nodes j and 

■*Note that there are several possible justifications for bounding the variations on Oi. For instance, because obtaining perfect 
knowledge of the state of the entire network is difficult (or impossible) for a given user, each user may instead incrementally probe 
the network to discover her optimal setting for Ui. Such a probing behavior can be captured as a repeated game where, for each 
repetition, a'i ~ ai < K. 
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k, and deg(z) is the out-degree of node i, that is, the number of nodes node i links to. The constants s, I, r 
and m represent the nominal costs associated with storing an item, retrieving an item one hop away, routing 
a request between two other nodes, and maintaining a connection to another node, respectively. From this 
cost model, we can immediately define the utility of node i, Ui, as 

Ui = -Ci . (2) 

Assume that nodes can choose which links they maintain, but do not have any control over the items they 
hold, and honor all routing requests. In other words, nodes are selfish when it comes to link establishment, 
but are obedient once links are established. 

Proposition 3. With the utility junction given in Eq. (0), if m < l/n, the fully connected network where 
each node links to every other node is a unique pure Nash equilibrium. 

Proposition 4. If m > I / n, the star-shaped network, where all links connect to or from a central node, is a 
pure Nash equilibrium. 

Propositions 13 and I3J whose proofs are in Appendix IbI tell us that, if maintaining links is cheap, or if 
the network is small, the only Nash equilibrium is the fully connected network. If maintaining links is more 
expensive, or if the network is large, a star-shaped network is a possible Nash equilibrium.^ While the star 
may not be a unique Nash equilibrium, the high aggregate utility of the star j6| suggests it may dominate 
other potential Nash equilibria. We note that the authors of fl^ obtain comparable results using a slightly 
different cost model. 

Thus, we would expect predominance of fully-connected or star-shaped networks in practice. While 
these types of topologies can indeed be found in existing networks (e.g., many small local area networks use 
star topologies), measurement studies of Internet topologies exhibit much more varied results fl^. Among 
the reasons why Internet topologies do not solely consist of an interconnection of star-shaped and fully 
connected networks, one can cite capacity constraints ||7J or monetary incentives. 

While proposing a game-theoretic model that accurately captures these additional factors is outside of 
the scope of this paper, we simply point out that, if instead of considering Nash equilibrium, we consider 
an e-equilibrium, then, for any m € [l/n — e,l/n + e], any network topology constitutes an e-equilibrium. 
(This can be proven by simply including e in all the derivations of Appendix|Bl) Additionally, if, to account 
for failures in link establishment due for instance to lossy channels, we allow nodes to use mixed strategies 
instead of being restricted to pure strategies, we conjecture that the range of possible values for m such that 
any network is an e-equilibrium is much larger than 2e. 

The outcome of this third case study is that allowing small deviations from Nash equilibria can result in 
obtaining very different network topologies at the equilibrium. This is something a network designer may 
want to keep in mind if her objective is to have self-interested nodes form a particular topology. 
^In the limit case where m is exactly equal to l/n, any network constitutes a Nash equilibrium. 
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4 Discussion 



We have shown through case studies that considering competitive equihbria of a more general form than 
pure Nash equihbria can be beneficial in systems research. In particular, we discussed how allowing players 
to slightly deviate from their optimal utihty can help reconcile game-theoretic models and observed player 
behavior. 

We note that, even in games for which a pure Nash equilibrium is undesirable from the system designer's 
perspective, near rational players may actually settle for a desirable outcome. This is a possible explanation 
why the Internet does not suffer from congestion collapse, despite the inefficiency of the Nash equilibrium in 
the TCP SACK game. Conversely, potentially desirable outcomes associated with a Nash equilibrium may 
prove difficult to reach unless all players are perfectly rational. The security game we described presents an 
instance of such a phenomenon. Thus, it appears that taking into account uncertainty factors can be useful 
in both game specification and mechanism design. 

An alternative to modeling near rationality is to consider fully specified games, which capture all factors 
with any conceivable influence on the game outcome. However, we argue that the two approaches are not 
exclusive. In fact, refinements to the game description are probably of interest when the near rationality 
assumption yields substantial deviations from the outcome predicted by a Nash equilibrium. Research on 
bounded-reasoning and bounded-optimality models l26l provides a sohd framework for such refinements. 

As a follow-up on our case studies, we are interested in gathering experimental data, through user sur- 
veys, on how security levels are chosen in practice, and in investigating how well this data can be described 
using game-theoretic models. We are also planning on conducting simulation studies to assess the actual 
impact of uncertainties and of mixed strategies on network formation. 

Last, we believe that this research has uncovered a few open problems that may warrant future investiga- 
tion. First, our case studies seem to show that considering other types of equilibria besides Nash equilibria 
can help expand the applicability of game-theoretic models to networked systems. While the e-equilibrium 
used in this paper is an interesting tool, many other equilibrium models have been investigated in the htera- 
ture, e.g., jUEII^ESl- We conjecture that different types of equilibrium may be appropriate for different 
networking problems, and believe that providing a classification of networking problems according to the 
specific types of equilibrium that best characterize them would be valuable. 

More generally, one can also ask how a game-theoretic model can capture that the rationality of each 
participant may vary across users: some users may be obedient, some others may be fully rational, some may 
be faulty 1131 . Finding if and how game-theoretical models can accommodate for heterogeneous populations 
of players may help us design better systems, and certainly poses a number of interesting research questions. 
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A Proofs of Propositions [1] and HI 

We first consider that users are only allowed pure strategies, and prove Proposition [2 

Proof of Proposition\I] Without loss of generality, we assume that users {1,... ,k}, with 1 < k < n, 
choose a security level Smin < Si for all i G {k + 1, . . . , n}. Thus, each user i for i G {1, . . . ,k} is 
compromised, and has a utility Ui = —P. Users in i G {k + 1, . . . ,n} cannot be compromised because 
S'i > Smin and therefore have a utility Ui = — Sj. 

Suppose a user i in {1, . . . , A;} were to increase her security level to Si — Smin ~l~ ^ for /i > 0. User i's 
utility would become — Smin — h. However, because the original constellation of security levels forms a 
Nash equilibrium, we know that such a change of strategy results in a decrease of user i's utility for any 
h > 0. That is, for any h > 0, 

-Smin -h + P<0, 

which reduces to Smin > P — hfor any /i > 0, so that Smin > P by continuity. By hypothesis, s^nm < P, 
which implies that Smin = P- Since for any i, Smin ^ Si < P, we obtain k = n, and, for any i, Si = P is 
the only possible Nash equilibrium. The utility of each user is Ui = —P, and cannot be increased by picking 
a different security level, which confirms that Si = P for all i constitutes a Nash equilibrium. □ 
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Suppose now that users choose their security level probabilistically. More precisely, the probability that 
user i picks a security level Sj below a value s is characterized by the cumulative distribution function (c.d.f.) 

Fs^{s)=Pr[si < s]. 



Proof of Proposition^ Consider the following continuous c.d.f. Fs^{s 



( if s < 0, 

l-(l-;^)^ ifO<S<P, (3) 



,1 if s > P. 

We use Eui{s) to denote the expected value of the utility Ui{s) in function of a security level s. Because 
Ui{s) = —P if all users j i choose security levels higher than s, and Ui{s) = —s otherwise, we have 

Eui{s) = -P{Pr[sj > - s(l - {Pr[sj > s])"-^) , 

which can be expressed in terms of F,. (s) as 

Eu,is) = -P(l - F,^{s)r-' - sil - (1 - F.MT-') ■ (4) 

Substituting Fg^ (s) by its expression given in Eq. Eq. (|4ji reduces to 

s ' 



Euiis) = -P + s [I p 

A study of the variations of Eui{s) in function of s E [0, P] indicates that Eui{s) > Eui{0) = —P and 
that Eui{s) < Eui{P/2) = — 3P/4. Thus, if we have e = P/4, any variation of the expected utility is 
smaller e, which characterizes an e-equilibrium. In other words, we have shown, by providing a specific 
c.d.f. Fs^{s), that there exist e-equilibria with e < P/4 where the security levels si can be spread out over 
the entire interval [0, P]. Note that we only present an existence proof here. It is unclear whether the chosen 
c.d.f Fs^{s) is an accurate depiction of how security levels are chosen in reality, and it is likewise entirely 
possible that there exist other distributions of the security levels over [0, P] that result in e-equilibria for 
e < P/4. □ 



B Proofs of Propositions |3l and SI 

Here, we first show that the fully connected network is the only Nash equilibrium if and only if m < l/n, 
before showing that, if m > l/n, the star-shaped network characterizes a Nash equilibrium. 

Proof of Proposition^^ In a fully connected network, no node can create additional links. If a given node i 
removes one of its links, deg(z) decreases from (n — 1) to (n — 2), but, at the same time, one of the nodes 
i' ^ lis now at a distance of 2 from i. Thus, Edij increases from 1 to 

n- 1 2 1 

Ed^j = + - = 1 + - , 

n n n 
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and the difference in utility for node i, between the strategy of removing one link and the strategy consisting 
in maintaining all links, ism—l/n. To have a pure Nash equilibrium, we therefore need to have m—l/n < 0, 
which is true if and only if m, < l/n. 

Suppose now that we have m < l/n, and a network that is not fully connected. In particular, consider 
that a node i can decide whether to create a link to to another node i' ^ i. Before addition of the link i i', 
i' is at a distance 2 < dj^j' < n — 1 of 1 After creation of the link i i' , i' is at a distance 1 of i. Thus, by 
creating the link i — > i' , Edij at least decreases by (2 — l)/n = l/n. Adding the link i —>■ i' also results 
in deg(i) increasing by one, so that that the addition of the link i ^ i' eventually results in a change in the 
node i's utility equal to — m + l/n, which, by hypothesis, is strictly positive. Hence, node i always has an 
incentive to add links to nodes it is not connected to. Using the same reasoning for all nodes, we conclude 
that the fully connected network is the unique Nash equilibrium if ni < l/n. □ 

Consider now a star-shaped network, where all links connect to or from a central node, say node 0, and 
assume that ni > l/n. 

Proof of Proposition^ Node is fully connected to the rest of the network, and therefore cannot create 
additional links. If node removes one of its links, one of the n — 1 other nodes becomes unreachable, 
which implies EdQj — > oo, and uq — oo. Thus, node has no incentive in modifying its set of links. 
Likewise, peripheral nodes do not remove their (only) link to the central node, to avoid having their utility 

Ui — > — oo. 

Suppose now that a peripheral node i creates an additional link to another peripheral node i' ^ i. An 
argument identical to that used in the proof of Proposition|3lshows that the addition of the link i — > results 
in a change in the node i's utility equal to —m + l/n. Here, however, ni > I / n, so that —m + l/n < 0, and 
node i has no incentive in adding the link i i'. Thus, the star-shaped network is a pure Nash equilibrium, 
which may not be unique. □ 
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